mod_security improved <DirectoryMatch "/\.(.+)"> to suit LE

Nap · March 3, 2016, 5:26pm

My security.conf has the following entry:

<DirectoryMatch "/\.(.+)">
   Require all denied
</DirectoryMatch>

That blocks all hidden directories. So I’m trying to alter the entry to block everything but ‘.well-known’ using the following:

<DirectoryMatch ~ "^/\.((?!well\-known$).*)">

I’ve tested the regex expression using two separate engines and it works fine, but when apache2.4.7 processes it, it doesn’t do what I expected and allows just about everything.

Anyone able to assist me to tweak this?

Here we are trying to secure the net, and the folder choice for this challenge is going to break a lot of servers out there. Why was .well-known chosed from all the possible options?

motoko · March 3, 2016, 5:51pm

Apache HTTPd will match on the most specific block, I believe. Don’t edit the existing directory block. Rather, make an additional one that matches only the .well-known directory and that sets the access to what you need.

Nap · March 3, 2016, 5:56pm

I’ll try that.
So you can override afterwards?
With IndexIgnore, you can’t undo restrictions downstream.

Nap · March 3, 2016, 6:03pm

It’s not working, so it looks like I can’t override a previous restriction.
And if I put it before, then the <DirectoryMatch "/\.(.+)"> cancels it out.

My1 · March 3, 2016, 6:13pm

but why are you canceling hidden directories?

Nap · March 3, 2016, 6:26pm

I simplified the regex, and it’s working now.
In /etc/apache2/conf-available/security.conf, I have it as follows:

<DirectoryMatch "/\.(.+)">
  Require all denied
</DirectoryMatch>

<DirectoryMatch /.well-known>
   Require all granted
</DirectoryMatch>

Thanks!